AD: Mark globals in ad_opts.h as extern To avoid collisions when we want to work with them elsewhere in the code. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

DYNDNS: Add a new option dyndns_server Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com>

LDAP: Add the wildcard_limit option Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

LDAP: add ldap_user_certificate option Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD GPO: Change default to "enforcing" When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments. However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

krb5: new option krb5_map_user New option `krb5_map_user` providing mapping of ID provider names to Kerberos principals. Resolves: https://fedorahosted.org/sssd/ticket/2509 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: disable the cleanup task by default Resolves: https://fedorahosted.org/sssd/ticket/2627 The cleanup task was designed to keep the cache size within certain limits. This is how it roughly works now: - find users who have never logged in by default. If account_cache_expiration is set, find users who loggged in later than account_cache_expiration - delete the matching set of users - find groups that have no members - delete the matching set of groups So unless account_cache_expiration is set to something sensible, only empty groups and expired users who never logged in are removed and that's quite a corner case. The above effectivelly walks the whole database, especially the groups step is quite slow with a huge database. The whole cleanup task also runs in a single sysdb transaction, which means all other transactions are blocked while the cleanup task crunches the database. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

ad_opts: Use different default attribute for group name The MSFT docs [1,2] for LDAP attributes says: samAccountName is mandotory for 'user' and 'group' objectclasses via the 'Security-Principal' aux-class name is part of the 'top' class and *not* mandatory for 'user' or 'group'. [1] https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx [2] https://msdn.microsoft.com/en-us/library/ms678697%28v=vs.85%29.aspx Resolves: https://fedorahosted.org/sssd/ticket/2593 Reviewed-by: Sumit Bose <sbose@redhat.com>

AD: add new option ad_site This option overrides a result of the automatic site discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Skip CHAUTHTOK_PRELIM when using OTPs https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>

AD/IPA: add krb5_confd_path configuration option With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Revert "LDAP: Remove unused option ldap_group_uuid" This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Revert "LDAP: Remove unused option ldap_user_uuid" This reverts commit dfb2960ab251f609466fa660449703835c97f99a. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Add alternative objectClass to group attribute maps In IPA we sometimes need to use posixGroup and sometimes groupOfNames objectclass to query the groups. This patch adds the possibility to specify alternative objectclass in group maps. By default it is only set for IPA. Fixes: https://fedorahosted.org/sssd/ticket/2436 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

AD-GPO: config changes for gpo_map_* options Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

SDAP: new option - DN to ppolicy on LDAP To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD-GPO: add ad_gpo_cache_timeout option Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Remove unused option ldap_user_uuid There is problem with OpenLDAP server and dereferencing of attributes that is not in the schema of the server? sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \ -E 'deref=member:uid,dummy_attr' cn=ref_grp Protocol error (2) Additional information: Dereference control: attribute decoding error sh-4.2$ echo $? 2 The attribute nsUniqueID is a 389-only, non-standard attribute. It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson nor posixAccount schema. It was a default value of option ldap_user_uuid, but it was not use anywhere. Resolves: https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Remove unused option ldap_group_uuid Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Remove unused option ldap_netgroup_uuid Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PROVIDERS: Add ldap_common.h to opts.h of each provider the opts.h files were consuming some #defines from ldap_common.h (such as SSS_LDAP_SRV_NAME) without including ldap_common.h. That's bad practice and break programs that wish to just include the opts.h header. Reviewed-by: Michal Židek <mzidek@redhat.com>

SDAP: Add option to disable use of Token-Groups Disabling use of Token-Groups is mandatory if expansion of nested groups is not desired (ldap_group_nesting_level = 0) for AD provider. Resolves: https://fedorahosted.org/sssd/ticket/2294 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Implemented LDAP component of GPO-based access control Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

LDAP: Make it possible to extend an attribute map https://fedorahosted.org/sssd/ticket/2073 This commit adds a new option ldap_user_extra_attrs that is unset by default. When set, the option contains a list of LDAP attributes the LDAP provider would download and store in addition to the usual set. The list can either contain LDAP attribute names only, or colon-separated tuples of LDAP attribute and SSSD cache attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas. Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>

AD: Add a new option to turn off GC lookups SSSD now defaults to using GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to Global Catalog, this might not be desirable. This patch introduces a new option ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of AD DCs.

Add new option ldap_group_type

Add ldap_autofs_map_master_name option

AD: Add a new option ad_access_filter This patch just adds the option, it doesn't do anything useful yet. Related: https://fedorahosted.org/sssd/ticket/2082

krb5: Fetch ccname template from krb5.conf In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036

AD: Set the bool value same as default value in opts https://fedorahosted.org/sssd/ticket/2023 When the option values are copied using dp_opt_copy_map, the .val member is used if it's not NULL. At the same time, the bool options are never NULL, unlike integers or strings that can have special NULL-like values such as NULL_STRING. This effectively means that when copying a bool option, the .val member is always used. But in the AD maps, some .val fields were set differently from the .def_val fields. The effect was that when the AD subdomain provider was initialized from IPA subdomain provider using only the defaults, some options (notably referral chasing) were set to a value that didn't make sense for the AD provider. This patch makes sure that for all boolean option, the .val is always the same as .def_val.

Add now options ldap_min_id and ldap_max_id Currently the range for Posix IDs stored in an LDAP server is unbound. This might lead to conflicts in a setup with AD and trusts when the configured domain uses IDs from LDAP. With the two noe options this conflict can be avoided.

A new option krb5_use_kdcinfo https://fedorahosted.org/sssd/ticket/1883 The patch introduces a new Kerberos provider option called krb5_use_kdcinfo. The option is true by default in all providers. When set to false, the SSSD will not create krb5 info files that the locator plugin consumes and the user would have to set up the Kerberos options manually in krb5.conf

Adding option to disable retrieving large AD groups. This commit adds new option ldap_disable_range_retrieval with default value FALSE. If this option is enabled, large groups(>1500) will not be retrieved and behaviour will be similar like was before commit ae8d047122c "LDAP: Handle very large Active Directory groups" https://fedorahosted.org/sssd/ticket/1823

Enable the AD dynamic DNS updates by default https://fedorahosted.org/sssd/ticket/1915

Active Directory dynamic DNS updates https://fedorahosted.org/sssd/ticket/1504 Implements dynamic DNS updates for the AD provider. By default, the updates also update the reverse zone and run periodically every 24 hours.

DNS sites support - add AD SRV plugin https://fedorahosted.org/sssd/ticket/1032

Allow usage of enterprise principals Enterprise principals are currently most useful for the AD provider and hence enabled here by default while for the other Kerberos based authentication providers they are disabled by default. If additional UPN suffixes are configured for the AD domain the user principal stored in the AD LDAP server might not contain the real Kerberos realm of the AD domain but one of the additional suffixes which might be completely randomly chooses, e.g. are not related to any existing DNS domain. This make it hard for a client to figure out the right KDC to send requests to. To get around this enterprise principals (see http://tools.ietf.org/html/rfc6806 for details) were introduced. Basically a default realm is added to the principal so that the Kerberos client libraries at least know where to send the request to. It is not in the responsibility of the KDC to either handle the request itself, return a client referral if he thinks a different KDC can handle the request or return and error. This feature is also use to allow authentication in AD environments with cross forest trusts. Fixes https://fedorahosted.org/sssd/ticket/1842

Allow setting krb5_renew_interval with a delimiter https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters

ldap: Fallback option for rfc2307 schema Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020

Decrease krb5_auth_timeout default https://fedorahosted.org/sssd/ticket/1738

Fix default upper limit of slices https://fedorahosted.org/sssd/ticket/1537 changes upper limit of slices to 2000200000 in providers code and manpage.

Flip the default value of ldap_initgroups_use_matching_rule_in_chain https://fedorahosted.org/sssd/ticket/1535

Change default for ldap_idmap_range_min to 200000 https://fedorahosted.org/sssd/ticket/1462

Primary server support: new option in AD provider This patch adds support for new config option ad_backup_server. The description of this option's functionality is included in man page in one of previous patches.

Primary server support: new options in krb5 provider This patch adds support for new config options krb5_backup_server and krb5_backup_kpasswd. The description of this option's functionality is included in man page in one of previous patches.

Primary server support: new option in ldap provider This patch adds support for new config option ldap_backup_uri. The description of this option's functionality is included in man page in previous patch.

AD: Fix defaults for krb5_canonicalize The AD provider cannot function with canonicalization because of a bug in Active Directory rendering it unable to complete a password-change while canonicalization is enabled.

AD: Add missing DP option terminator

AD: use krb5_keytab for validation and GSSAPI This simplifies configuration by eliminating the need to specifiy both krb5_keytab and ldap_krb5_keytab if the keytab is not located at /etc/krb5.keytab

AD: Add AD access-control provider This patch adds support for checking whether a user is expired or disabled in AD.

AD: Add AD identity provider This new identity provider takes advantage of existing code for the LDAP provider, but provides sensible defaults for operating against an Active Directory 2008 R2 or later server.